1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: Release
# Publish to crates.io on a version tag. The release runs from a clean checkout,
# so local untracked artifacts (scratch dirs, worktrees) can never enter the
# packaged crate — only the git-tracked tree is published.
on:
push:
tags:
- 'v*.*.*'
permissions:
contents: read
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: -D warnings
jobs:
publish:
name: publish to crates.io
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
with:
toolchain: stable
# No build cache on the publish path: a poisoned cache could tamper with
# the released artifact. Releases are infrequent — build from clean.
- name: Verify tag matches crate version
run: |
tag="${GITHUB_REF_NAME#v}"
crate="$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[0].version')"
if [ "$tag" != "$crate" ]; then
echo "::error::tag ${GITHUB_REF_NAME} does not match Cargo.toml version ${crate}"
exit 1
fi
- name: cargo test
run: cargo test
- name: cargo publish
run: cargo publish
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}